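# Source: github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/tests/SMB_RPC/test_rrp.py
###############################################################################
# Tested so far:
#
# OpenClassesRoot
# OpenCurrentUser
# OpenLocalMachine
# OpenPerformanceData
# OpenUsers
# BaseRegCloseKey
# BaseRegCreateKey
# BaseRegDeleteKey
# BaseRegFlushKey
# BaseRegGetKeySecurity
# BaseRegOpenKey
# BaseRegQueryInfoKey
# BaseRegQueryValue
# BaseRegReplaceKey
# BaseRegRestoreKey
# BaseRegSaveKey
# BaseRegSetValue
# BaseRegEnumValue
# BaseRegEnumKey
# BaseRegGetVersion
# OpenCurrentConfig
# BaseRegQueryMultipleValues
# BaseRegSaveKeyEx
# OpenPerformanceText
# OpenPerformanceNlsText
# BaseRegQueryMultipleValues2
# BaseRegDeleteKeyEx
# BaseRegLoadKey
# BaseRegUnLoadKey
# BaseRegDeleteValue
#
# Not yet:
#
# BaseRegSetKeySecurity
#
# Shouldn't dump errors against a win7
#
################################################################################

from __future__ import division
from __future__ import print_function
import unittest
try:
    import ConfigParser
except ImportError:
    import configparser as ConfigParser

from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5 import epm, rrp, scmr
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED, OWNER_SECURITY_INFORMATION

# Subkey of HKLM that most read-only tests open.
_CURRENT_VERSION_KEY = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00'
# NDR transfer syntax used by the plain SMB transport; also used for TCP so
# that connect() always finds self.ts.
_NDR_TRANSFER_SYNTAX = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')


class RRPTests(unittest.TestCase):
    """MS-RRP (remote registry) calls exercised against a live Windows host.

    The target host and the account come from ``dcetests.cfg`` (see the
    transport subclasses). The tests start the RemoteRegistry service, create
    and delete the ``BETO`` key under HKCR, and write hive copies under
    System32 on the target, which they remove again through ``ADMIN$``.
    This base class has no ``setUp`` of its own; run one of the subclasses.
    """

    # ------------------------------------------------------------------
    # Shared plumbing
    # ------------------------------------------------------------------
    def _load_config(self, section):
        """Read host and credentials for *section* from dcetests.cfg."""
        configFile = ConfigParser.ConfigParser()
        configFile.read('dcetests.cfg')
        self.username = configFile.get(section, 'username')
        self.domain = configFile.get(section, 'domain')
        self.serverName = configFile.get(section, 'servername')
        self.password = configFile.get(section, 'password')
        self.machine = configFile.get(section, 'machine')
        self.hashes = configFile.get(section, 'hashes')
        self.rrpStarted = False

    def _set_credentials(self, rpctransport):
        """Apply the configured password or LM:NT hashes to *rpctransport*."""
        if len(self.hashes) > 0:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash)

    def _remove_on_cleanup(self, rpctransport, path):
        """Schedule deletion of *path* on ADMIN$ once the test finishes.

        Registered right after a hive has been saved, so the copy is removed
        even when a later request in the same test raises. A failing delete
        is still reported by unittest as an error.
        """
        def remove():
            smb = rpctransport.get_smb_connection()
            smb.deleteFile('ADMIN$', path)
        self.addCleanup(remove)

    def _open_root(self, dce, request):
        """Send a predefined-key open request (OpenClassesRoot, ...) and dump it."""
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()
        return resp

    def _open_subkey(self, dce, hKey, subKey, samDesired=MAXIMUM_ALLOWED):
        """Send a raw BaseRegOpenKey for *subKey* and return the response."""
        request = rrp.BaseRegOpenKey()
        request['hKey'] = hKey
        request['lpSubKey'] = subKey
        request['dwOptions'] = 0x00000001
        request['samDesired'] = samDesired
        return dce.request(request)

    def _create_beto_key(self, dce, regHandle):
        """Send a raw BaseRegCreateKey for the BETO subkey and return the response."""
        request = rrp.BaseRegCreateKey()
        request['hKey'] = regHandle
        request['lpSubKey'] = 'BETO\x00'
        request['lpClass'] = NULL
        request['dwOptions'] = 0x00000001
        request['samDesired'] = MAXIMUM_ALLOWED
        request['lpSecurityAttributes']['RpcSecurityDescriptor']['lpSecurityDescriptor'] = NULL
        request['lpdwDisposition'] = rrp.REG_CREATED_NEW_KEY
        resp = dce.request(request)
        resp.dump()
        return resp

    def _query_value(self, dce, hKey, valueName):
        """Send a raw BaseRegQueryValue with a 100-byte buffer and return the response."""
        request = rrp.BaseRegQueryValue()
        request['hKey'] = hKey
        request['lpValueName'] = valueName
        request['lpData'] = b' '*100
        request['lpcbData'] = 100
        request['lpcbLen'] = 100
        resp = dce.request(request)
        resp.dump()
        return resp

    def _save_key(self, dce, rpctransport, hKey, fileName):
        """Send a raw BaseRegSaveKey and schedule removal of the saved file.

        The original tests delete the file from System32 on ADMIN$, which is
        where a relative lpFile ends up on the target.
        """
        request = rrp.BaseRegSaveKey()
        request['hKey'] = hKey
        request['lpFile'] = fileName + '\x00'
        request['pSecurityAttributes'] = NULL
        resp = dce.request(request)
        self._remove_on_cleanup(rpctransport, 'System32\\' + fileName)
        resp.dump()

    def _query_multiple_values(self, dce, hKey, request):
        """Fill *request* with three REG_SZ RVALENT entries, send it and dump the reply."""
        request['hKey'] = hKey
        for name in ('ProductName\x00', 'SystemRoot\x00', 'EditionID\x00'):
            item = rrp.RVALENT()
            item['ve_valuename'] = name
            item['ve_valuelen'] = len(name)
            # Every entry gets its own NULL pointer; the second entry used to
            # overwrite the first entry's field instead.
            item['ve_valueptr'] = NULL
            item['ve_type'] = rrp.REG_SZ
            request['val_listIn'].append(item)
        request['num_vals'] = len(request['val_listIn'])
        request['lpvalueBuf'] = list(b' '*128)
        request['ldwTotsize'] = 128
        resp = dce.request(request)
        resp.dump()

    # ------------------------------------------------------------------
    # Connection set-up
    # ------------------------------------------------------------------
    def connect_scmr(self):
        """Bind to the service control manager over the svcctl pipe.

        Returns:
            (dce, rpctransport, scHandle), where scHandle is the SC manager
            handle returned by hROpenSCManagerW.
        """
        rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\pipe\svcctl]' % self.machine)
        self._set_credentials(rpctransport)
        dce = rpctransport.get_dce_rpc()
        # dce.set_max_fragment_size(32)
        dce.connect()
        dce.bind(scmr.MSRPC_UUID_SCMR)
        lpMachineName = 'DUMMY\x00'
        lpDatabaseName = 'ServicesActive\x00'
        desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
                        scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | \
                        scmr.SERVICE_ENUMERATE_DEPENDENTS | scmr.SC_MANAGER_ENUMERATE_SERVICE

        resp = scmr.hROpenSCManagerW(dce, lpMachineName, lpDatabaseName, desiredAccess)
        scHandle = resp['lpScHandle']

        return dce, rpctransport, scHandle

    def connect(self):
        """Start RemoteRegistry if needed, bind to winreg and open HKLM.

        Returns:
            (dce, rpctransport, phKey), where phKey is the HKLM handle.
        """
        if self.rrpStarted is not True:
            dce, rpctransport, scHandle = self.connect_scmr()

            desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
                            scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS

            resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', desiredAccess)
            resp.dump()
            serviceHandle = resp['lpServiceHandle']

            try:
                scmr.hRStartServiceW(dce, serviceHandle)
            except Exception as e:
                # An already running service is the expected steady state.
                if 'ERROR_SERVICE_ALREADY_RUNNING' not in str(e):
                    raise
            finally:
                # Release both handles; only the SC manager handle used to be
                # closed, and not at all when the start call failed.
                scmr.hRCloseServiceHandle(dce, serviceHandle)
                scmr.hRCloseServiceHandle(dce, scHandle)
            self.rrpStarted = True

        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        self._set_credentials(rpctransport)
        dce = rpctransport.get_dce_rpc()
        # NOTE(review): the bind runs at the library's default auth level; the
        # line below shows packet integrity was considered but left disabled.
        #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
        dce.connect()
        dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts)
        resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)

        return dce, rpctransport, resp['phKey']

    # ------------------------------------------------------------------
    # Predefined keys
    # ------------------------------------------------------------------
    def test_OpenClassesRoot(self):
        dce, rpctransport, phKey = self.connect()
        self._open_root(dce, rrp.OpenClassesRoot())

    def test_OpenCurrentUser(self):
        dce, rpctransport, phKey = self.connect()
        self._open_root(dce, rrp.OpenCurrentUser())

    def test_OpenLocalMachine(self):
        dce, rpctransport, phKey = self.connect()
        self._open_root(dce, rrp.OpenLocalMachine())

    def test_OpenPerformanceData(self):
        dce, rpctransport, phKey = self.connect()
        self._open_root(dce, rrp.OpenPerformanceData())

    def test_OpenUsers(self):
        dce, rpctransport, phKey = self.connect()
        self._open_root(dce, rrp.OpenUsers())

    def test_OpenCurrentConfig(self):
        dce, rpctransport, phKey = self.connect()
        self._open_root(dce, rrp.OpenCurrentConfig())

    def test_hOpenCurrentConfig(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hOpenCurrentConfig(dce)
        resp.dump()

    def test_OpenPerformanceText(self):
        dce, rpctransport, phKey = self.connect()
        self._open_root(dce, rrp.OpenPerformanceText())

    def test_hOpenPerformanceText(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hOpenPerformanceText(dce)
        resp.dump()

    def test_OpenPerformanceNlsText(self):
        dce, rpctransport, phKey = self.connect()
        self._open_root(dce, rrp.OpenPerformanceNlsText())

    def test_hOpenPerformanceNlsText(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hOpenPerformanceNlsText(dce)
        resp.dump()

    def test_BaseRegCloseKey(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.BaseRegCloseKey()
        request['hKey'] = phKey
        resp = dce.request(request)
        resp.dump()

    # ------------------------------------------------------------------
    # Create / set / query / delete
    # ------------------------------------------------------------------
    def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
        dce, rpctransport, phKey = self.connect()
        resp = rrp.hOpenClassesRoot(dce)
        resp.dump()
        regHandle = resp['phKey']

        resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        phKey = resp['phkResult']

        try:
            resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00')
            resp.dump()
        except Exception as e:
            # A failed write is caught by the query and assertion below.
            print(e)

        valueType, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')

        resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
        resp.dump()

        resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        self.assertEqual('HOLA COMO TE VA\x00', data)

    def test_BaseRegCreateKey_BaseRegSetValue_BaseRegDeleteKey(self):
        dce, rpctransport, phKey = self.connect()
        regHandle = self._open_root(dce, rrp.OpenClassesRoot())['phKey']

        phKey = self._create_beto_key(dce, regHandle)['phkResult']

        request = rrp.BaseRegSetValue()
        request['hKey'] = phKey
        request['lpValueName'] = 'BETO\x00'
        request['dwType'] = rrp.REG_SZ
        request['lpData'] = 'HOLA COMO TE VA\x00'.encode('utf-16le')
        request['cbData'] = len('HOLA COMO TE VA\x00')*2

        try:
            resp = dce.request(request)
            resp.dump()
        except Exception as e:
            # A failed write is caught by the query and assertion below.
            print(e)

        resData = self._query_value(dce, phKey, 'BETO\x00')['lpData']

        request = rrp.BaseRegDeleteKey()
        request['hKey'] = regHandle
        request['lpSubKey'] = 'BETO\x00'
        resp = dce.request(request)
        resp.dump()
        decoded = b''.join(resData).decode('utf-16le')
        print(decoded)
        self.assertEqual('HOLA COMO TE VA\x00', decoded)

    def test_BaseRegDeleteKeyEx(self):
        dce, rpctransport, phKey = self.connect()
        regHandle = self._open_root(dce, rrp.OpenClassesRoot())['phKey']

        self._create_beto_key(dce, regHandle)

        request = rrp.BaseRegDeleteKeyEx()
        request['hKey'] = regHandle
        request['lpSubKey'] = 'BETO\x00'
        request['AccessMask'] = rrp.KEY_WOW64_32KEY
        request['Reserved'] = 0
        resp = dce.request(request)
        resp.dump()

    # ------------------------------------------------------------------
    # Enumeration and queries
    # ------------------------------------------------------------------
    def test_BaseRegEnumKey(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_subkey(dce, phKey, _CURRENT_VERSION_KEY,
                                 MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS)

        request = rrp.BaseRegEnumKey()
        request['hKey'] = resp['phkResult']
        request['dwIndex'] = 1
        # I gotta access the fields manually :s
        request.fields['lpNameIn'].fields['MaximumLength'] = 510
        request.fields['lpNameIn'].fields['Data'].fields['Data'].fields['MaximumCount'] = 255
        request['lpClassIn'] = ' '*100
        request['lpftLastWriteTime'] = NULL
        resp = dce.request(request)
        resp.dump()

    def test_hBaseRegEnumKey(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_subkey(dce, phKey, _CURRENT_VERSION_KEY,
                                 MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS)

        resp = rrp.hBaseRegEnumKey(dce, resp['phkResult'], 1)
        resp.dump()

    def test_BaseRegEnumValue(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_subkey(dce, phKey, _CURRENT_VERSION_KEY)

        request = rrp.BaseRegEnumValue()
        request['hKey'] = resp['phkResult']
        request['dwIndex'] = 6
        request['lpValueNameIn'] = ' '*100
        request['lpData'] = b' '*100
        request['lpcbData'] = 100
        request['lpcbLen'] = 100
        resp = dce.request(request)
        resp.dump()

    def test_hBaseRegEnumValue(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_subkey(dce, phKey, _CURRENT_VERSION_KEY)

        resp = rrp.hBaseRegEnumValue(dce, resp['phkResult'], 7, 10)
        resp.dump()

    def test_BaseRegFlushKey(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hBaseRegFlushKey(dce,phKey)
        resp.dump()

    def test_BaseRegGetKeySecurity(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hBaseRegGetKeySecurity(dce, phKey, OWNER_SECURITY_INFORMATION)
        resp.dump()

    def test_BaseRegOpenKey(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_subkey(dce, phKey, _CURRENT_VERSION_KEY)
        resp.dump()

    def test_hBaseRegQueryInfoKey(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hBaseRegOpenKey(dce, phKey, 'SYSTEM\\CurrentControlSet\\Control\\Lsa\\JD\x00' )

        resp = rrp.hBaseRegQueryInfoKey(dce,resp['phkResult'])
        resp.dump()

    def test_BaseRegQueryValue(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_subkey(dce, phKey, _CURRENT_VERSION_KEY)
        resp.dump()

        self._query_value(dce, resp['phkResult'], 'ProductName\x00')

    def test_hBaseRegQueryValue(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hBaseRegOpenKey(dce, phKey, _CURRENT_VERSION_KEY)
        resp.dump()

        resp = rrp.hBaseRegQueryValue(dce, resp['phkResult'], 'ProductName\x00')

    def test_BaseRegGetVersion(self):
        dce, rpctransport, phKey = self.connect()

        request = rrp.BaseRegGetVersion()
        request['hKey'] = phKey
        resp = dce.request(request)
        resp.dump()

    def test_hBaseRegGetVersion(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hBaseRegGetVersion(dce, phKey)
        resp.dump()

    def test_BaseRegQueryMultipleValues(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_subkey(dce, phKey, _CURRENT_VERSION_KEY,
                                 MAXIMUM_ALLOWED | rrp.KEY_QUERY_VALUE)
        resp.dump()

        self._query_multiple_values(dce, resp['phkResult'], rrp.BaseRegQueryMultipleValues())

    def test_BaseRegQueryMultipleValues2(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_subkey(dce, phKey, _CURRENT_VERSION_KEY,
                                 MAXIMUM_ALLOWED | rrp.KEY_QUERY_VALUE)
        resp.dump()

        self._query_multiple_values(dce, resp['phkResult'], rrp.BaseRegQueryMultipleValues2())

    def test_hBaseRegQueryMultipleValues(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hBaseRegOpenKey(dce, phKey, _CURRENT_VERSION_KEY)
        resp.dump()

        # A third entry (DigitalProductId, REG_BINARY) was prepared in the
        # original test but never appended, so it is not queried here either.
        valueIn = [
            {'ValueName': 'ProductName\x00', 'ValueType': rrp.REG_SZ},
            {'ValueName': 'InstallDate\x00', 'ValueType': rrp.REG_DWORD},
        ]

        rrp.hBaseRegQueryMultipleValues(dce, resp['phkResult'], valueIn)

    # ------------------------------------------------------------------
    # Replace / restore: only ERROR_FILE_NOT_FOUND is tolerated
    # ------------------------------------------------------------------
    def test_BaseRegReplaceKey(self):
        dce, rpctransport, phKey = self.connect()

        request = rrp.BaseRegReplaceKey()
        request['hKey'] = phKey
        request['lpSubKey'] = 'SOFTWARE\x00'
        request['lpNewFile'] = 'SOFTWARE\x00'
        request['lpOldFile'] = 'SOFTWARE\x00'
        try:
            resp = dce.request(request)
            resp.dump()
        except Exception as e:
            if 'ERROR_FILE_NOT_FOUND' not in str(e):
                raise

    def test_hBaseRegReplaceKey(self):
        dce, rpctransport, phKey = self.connect()

        try:
            resp = rrp.hBaseRegReplaceKey(dce, phKey, 'SOFTWARE\x00', 'SOFTWARE\x00', 'SOFTWARE\x00')
            resp.dump()
        except Exception as e:
            if 'ERROR_FILE_NOT_FOUND' not in str(e):
                raise

    def test_BaseRegRestoreKey(self):
        dce, rpctransport, phKey = self.connect()

        request = rrp.BaseRegRestoreKey()
        request['hKey'] = phKey
        request['lpFile'] = 'SOFTWARE\x00'
        request['Flags'] = rrp.REG_REFRESH_HIVE
        try:
            resp = dce.request(request)
            resp.dump()
        except Exception as e:
            if 'ERROR_FILE_NOT_FOUND' not in str(e):
                raise

    def test_hBaseRegRestoreKey(self):
        dce, rpctransport, phKey = self.connect()

        try:
            resp = rrp.hBaseRegRestoreKey(dce, phKey, 'SOFTWARE\x00')
            resp.dump()
        except Exception as e:
            if 'ERROR_FILE_NOT_FOUND' not in str(e):
                raise

    # ------------------------------------------------------------------
    # Save / load: these leave a hive copy on the target until cleanup
    # ------------------------------------------------------------------
    def test_BaseRegSaveKey(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_root(dce, rrp.OpenCurrentUser())

        self._save_key(dce, rpctransport, resp['phKey'], 'BETUSFILE2')

    def test_hBaseRegSaveKey(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hOpenCurrentUser(dce)
        resp.dump()

        resp = rrp.hBaseRegSaveKey(dce,resp['phKey'],'BETUSFILE2\x00')
        self._remove_on_cleanup(rpctransport, 'System32\\BETUSFILE2')
        resp.dump()

    def test_BaseRegSaveKeyEx(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_root(dce, rrp.OpenCurrentUser())

        request = rrp.BaseRegSaveKeyEx()
        request['hKey'] = resp['phKey']
        request['lpFile'] = 'BETUSFILE2\x00'
        request['pSecurityAttributes'] = NULL
        request['Flags'] = 4
        resp = dce.request(request)
        self._remove_on_cleanup(rpctransport, 'System32\\BETUSFILE2')
        resp.dump()

    def test_hBaseRegSaveKeyEx(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hOpenCurrentUser(dce)
        resp.dump()

        resp = rrp.hBaseRegSaveKeyEx(dce, resp['phKey'], 'BETUSFILE2\x00')
        self._remove_on_cleanup(rpctransport, 'System32\\BETUSFILE2')
        resp.dump()

    def test_BaseRegLoadKey_BaseRegUnLoadKey(self):
        dce, rpctransport, phKey = self.connect()

        resp = self._open_subkey(dce, phKey, 'SECURITY\x00')
        resp.dump()

        # The saved copy of the SECURITY hive is removed by the scheduled
        # cleanup even if the load or unload below fails.
        self._save_key(dce, rpctransport, resp['phkResult'], 'SEC')

        request = rrp.BaseRegLoadKey()
        request['hKey'] = phKey
        request['lpSubKey'] = 'BETUS\x00'
        request['lpFile'] = 'SEC\x00'
        resp = dce.request(request)
        resp.dump()

        request = rrp.BaseRegUnLoadKey()
        request['hKey'] = phKey
        request['lpSubKey'] = 'BETUS\x00'
        resp = dce.request(request)
        resp.dump()

    def test_hBaseRegLoadKey_hBaseRegUnLoadKey(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hBaseRegOpenKey(dce,phKey, 'SECURITY\x00')
        resp.dump()

        # The saved copy of the SECURITY hive is removed by the scheduled
        # cleanup even if the load or unload below fails.
        self._save_key(dce, rpctransport, resp['phkResult'], 'SEC')

        resp = rrp.hBaseRegLoadKey(dce, phKey,'BETUS\x00', 'SEC\x00' )
        resp.dump()

        resp = rrp.hBaseRegUnLoadKey(dce, phKey, 'BETUS\x00')
        resp.dump()


class SMBTransport(RRPTests):
    """winreg over the named pipe, NDR transfer syntax."""

    def setUp(self):
        RRPTests.setUp(self)
        self._load_config('SMBTransport')
        self.stringBinding = r'ncacn_np:%s[\PIPE\winreg]' % self.machine
        self.ts = _NDR_TRANSFER_SYNTAX


class SMBTransport64(RRPTests):
    """winreg over the named pipe with the second transfer syntax (version 1.0)."""

    def setUp(self):
        RRPTests.setUp(self)
        # Shares the [SMBTransport] section of dcetests.cfg.
        self._load_config('SMBTransport')
        self.stringBinding = r'ncacn_np:%s[\PIPE\winreg]' % self.machine
        self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')


class TCPTransport(RRPTests):
    """winreg over ncacn_ip_tcp, endpoint resolved through the endpoint mapper."""

    def setUp(self):
        RRPTests.setUp(self)
        self._load_config('TCPTransport')
        self.stringBinding = epm.hept_map(self.machine, rrp.MSRPC_UUID_RRP, protocol = 'ncacn_ip_tcp')
        # connect() reads self.ts; it was never set for this transport, so
        # every test raised AttributeError before reaching the bind.
        self.ts = _NDR_TRANSFER_SYNTAX


# Process command-line arguments.
if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        testcase = globals().get(sys.argv[1])
        # Only accept the name of one of the transport test classes instead
        # of looking up an arbitrary module global.
        if not (isinstance(testcase, type) and issubclass(testcase, RRPTests)):
            sys.exit('Unknown test case: %s' % sys.argv[1])
        suite = unittest.TestLoader().loadTestsFromTestCase(testcase)
    else:
        suite = unittest.TestLoader().loadTestsFromTestCase(SMBTransport)
        suite.addTests(unittest.TestLoader().loadTestsFromTestCase(SMBTransport64))
        #suite.addTests(unittest.TestLoader().loadTestsFromTestCase(TCPTransport))
    unittest.TextTestRunner(verbosity=1).run(suite)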